Hacking Capabilities of FBI Could Expand Under Pending Legislation

Most users might spend all of their time surfing the Surface Web, meaning all of those websites that have been mapped out by Google or another standard search engine. The Surface Web might attract a great deal of traffic, but it is only a small portion of the World Wide Web. There’s also the Deep Web, where nothing is indexed.

Hidden away in the corners of the Deep Web is the Dark Web, sites and other content which rely on overlay networks known as darknets that require users to download special software, such as I2P and Tor. In that sense, the Dark Web enables users to access content that they wouldn’t typically find through standard search engines, including drug trafficking and child pornography.

That helps to explain why law enforcement spends a great deal of time navigating the Dark Web. In general, authorities don’t usually have to look far for criminal activity. But the legality of some of their methods is questionable.

For instance, take the story of what happened with Playpen.

In February 2015, the Federal Bureau of Investigation (FBI) seized control of servers responsible for operating the popular darknet child pornography website. FBI agents then used a tool to help them unmask some of the site’s users so that authorities could arrest them.

“…[The FBI] sought a warrant in the Eastern District of Virginia to employ a network investigative technique (‘NIT’) whereby those users who accessed the target website—hosted in the Eastern District of Virginia—by logging in with a username and password, would be issued certain instructions, causing the ‘activating’ computer to send certain information to a computer run by the Government…. This information included the IP address of the ‘activating’ computer, a unique identifier generated by the NIT to distinguish ‘activating’ users from one another, and the operating system of the ‘activating’ computer…. The purpose of the NIT was to obtain information to assist the FBI in identifying the ‘activating computers’ and their users.”

The FBI has yet to reveal the details of its NIT despite calls from Mozilla and others to do so. In total, the tool unmasked 1,500 Playpen users, which played a direct role in the FBI’s justification for arresting those individuals.

Numerous court cases have challenged the legality of the FBI’s actions. Most recently, federal judge David Alan Ezra wrote that the FBI should have obtained a warrant as its use of the NIT to track users’ computer activity constituted a “search”:

“[T]he NIT placed code on Mr. Torres’ computer without his permission, causing it to transmit his IP address and other identifying data to the government. That Mr. Torres did not have a reasonable expectation of privacy in his IP address is of no import. This was unquestionably a ‘search’ for Fourth Amendment purposes.”

The Fourth Amendment, as we all know, protects American citizens against unreasonable searches and seizures. In the presence of certain evidence indicating that someone has committed a crime, a judge can issue a warrant that authorizes law enforcement personnel to search a suspect’s property and belongings.

Warrants come with restrictions, however. Typically, a warrant applies to one individual’s crimes, and its purview generally covers only a certain district in which the individual committed those crimes. That means separate judges would need to issue a warrant if one individual engaged in illegal activity in separate districts. That’s generally how warrants work.

But that could all change with respect to digital crime in the near future.

On 1 December, the FBI could expand its hacking and surveillance authorities under a new proposal. The legislation would add some amendments to Rule 41 of the Federal Rules of Criminal Procedure.

“…[A] magistrate judge with authority in any district where activities related to a crime may have occurred has authority to issue a warrant to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district if: (A) the district where the media or information is located has been concealed through technological means; or (B) in an investigation of a violation of U.S.C. § 1030(a)(5), the media are protected computers that have been damaged without authorization and are located in five or more districts.”

The Justice Department has said it needs those rules as part of its ongoing efforts to target botnets, reports WIRED magazine. But there could be some blowback.

According to the Electronic Frontier Foundation’s analysis, users who find themselves victims of a botnet (that is, compromised by malware) could be compromised again by government authorities looking to investigate the malware network. Not only does that second layer of remote access potentially jeopardize a victim’s privacy; it could also potentially do more damage to the computer than if the victim were affected by just one malware infection.

That’s only the half of it, too. As the EFF explains:

“…[T]his change would grant authority to practically any judge to issue a search warrant to remotely access, seize, or copy data relevant to a crime when a computer was using privacy-protective tools to safeguard one’s location. Many different commonly used tools might fall into this category. For example, people who use Tor, folks running a Tor node, or people using a VPN would certainly be implicated. It might also extend to people who deny access to location data for smartphone apps because they don’t feel like sharing their location with ad networks. It could even include individuals who change the country setting in an online service, like folks who change the country settings of their Twitter profile in order to read uncensored Tweets.”

The FBI and other parts of the intelligence community might be justified in seeking these powers. But that doesn’t mean they should be the ones granting themselves those responsibilities.

Here’s how things are looking right now. If Congress does nothing, the rules will automatically come into effect in December. Only if it passes legislation blocking the rules will the U.S. legislature then assume some voice in shaping this discussion.
